Type: Story
Resolution: Done
Priority: Normal
Sprint: WINC - Sprint 277
User story
As a cluster administrator, I want kubelet configuration to be explicitly validated, so that the NodeLogQuery feature gate is required when enableSystemLogQuery is true, ensuring predictable behavior and avoiding unintentionally exposed endpoints.
Description
The NodeLogQuery feature gate in the version of kubelet used by OpenShift defaults to true, which is a change from the upstream Kubernetes default of false.
This leads to an inconsistency where if enableSystemLogQuery is set to true in the kubelet configuration, but NodeLogQuery is omitted from the featureGates map, the node log query endpoints are still enabled.
This behavior is unexpected and can lead to security concerns as endpoints are active without explicit configuration.
This story is to require that when enableSystemLogQuery is explicitly enabled, the NodeLogQuery feature gate must also be explicitly set to true.
Engineering Details
The issue stems from a downstream patch in OpenShift's Kubernetes fork that changes the default value of the NodeLogQuery feature gate: https://github.com/openshift/kubernetes/blob/a237dcbeee8bbe1440c94349399cc6eac8870910/pkg/features/kube_features.go#L1543
The validation should be added to ensure that the configuration is explicit and consistent with the user's intent.
Acceptance Criteria
- Given a kubelet configuration with enableSystemLogQuery: true, when the NodeLogQuery feature gate is not present in the featureGates map, then the configuration should fail validation with an error message indicating that NodeLogQuery must be enabled.
- Given a kubelet configuration with enableSystemLogQuery: true, when the NodeLogQuery feature gate is explicitly set to false, then the configuration should fail validation.
- Given a kubelet configuration with enableSystemLogQuery: true, when the NodeLogQuery feature gate is explicitly set to true, then the configuration should be considered valid and the log query endpoints should be accessible.
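The validation rule described in this story and the three acceptance criteria above, written out as an added example (this is illustrative code, not the actual kubelet or OpenShift patch). The KubeletConfig struct is an assumed minimal stand-in for the relevant fields of kubelet's configuration, and LogQueryEndpointsActive models the behaviour the Description reports: with the OpenShift default of true for the gate, an omitted NodeLogQuery entry still leaves the endpoints active, which is exactly the case the explicit check rejects.

```go
package main

import (
	"errors"
	"fmt"
)

// KubeletConfig is an assumed minimal stand-in for the two fields of the
// kubelet configuration that the check needs; it is not the real type.
type KubeletConfig struct {
	EnableSystemLogQuery bool
	FeatureGates         map[string]bool
}

const nodeLogQueryGate = "NodeLogQuery"

// ErrNodeLogQueryRequired is returned whenever enableSystemLogQuery is true
// but the NodeLogQuery gate is not explicitly enabled.
var ErrNodeLogQueryRequired = errors.New(
	"enableSystemLogQuery is true but the NodeLogQuery feature gate is not explicitly enabled")

// ValidateSystemLogQuery implements the rule from the story: when
// enableSystemLogQuery is true, featureGates.NodeLogQuery must be present
// and set to true. Relying on the build's default is rejected on purpose,
// so the configuration states the operator's intent explicitly.
func ValidateSystemLogQuery(cfg KubeletConfig) error {
	if !cfg.EnableSystemLogQuery {
		return nil // feature off; nothing to check
	}
	enabled, present := cfg.FeatureGates[nodeLogQueryGate] // safe on a nil map
	if !present {
		return fmt.Errorf("%w: the gate is omitted from featureGates; set featureGates.%s: true",
			ErrNodeLogQueryRequired, nodeLogQueryGate)
	}
	if !enabled {
		return fmt.Errorf("%w: the gate is explicitly set to false", ErrNodeLogQueryRequired)
	}
	return nil
}

// gateEnabled returns the effective value of a feature gate: the explicit
// entry when present, otherwise the build's default.
func gateEnabled(gates map[string]bool, name string, defaultValue bool) bool {
	if v, ok := gates[name]; ok {
		return v
	}
	return defaultValue
}

// LogQueryEndpointsActive models the behaviour described in the story: the
// node log query endpoints are served when enableSystemLogQuery is true and
// the NodeLogQuery gate is effectively on. gateDefault is true for the
// OpenShift fork and false upstream (per the story's Description).
func LogQueryEndpointsActive(cfg KubeletConfig, gateDefault bool) bool {
	return cfg.EnableSystemLogQuery && gateEnabled(cfg.FeatureGates, nodeLogQueryGate, gateDefault)
}

func main() {
	// Constructed sample configurations covering the acceptance criteria.
	cases := []struct {
		name string
		cfg  KubeletConfig
	}{
		{"gate omitted", KubeletConfig{EnableSystemLogQuery: true, FeatureGates: map[string]bool{}}},
		{"gate false", KubeletConfig{EnableSystemLogQuery: true, FeatureGates: map[string]bool{nodeLogQueryGate: false}}},
		{"gate true", KubeletConfig{EnableSystemLogQuery: true, FeatureGates: map[string]bool{nodeLogQueryGate: true}}},
	}
	for _, c := range cases {
		fmt.Printf("%-12s validation=%v endpoints(openshift default)=%v endpoints(upstream default)=%v\n",
			c.name, ValidateSystemLogQuery(c.cfg),
			LogQueryEndpointsActive(c.cfg, true), LogQueryEndpointsActive(c.cfg, false))
	}
}
```

The "gate omitted" case is the one that motivates the story: the validator rejects it, while the endpoint model shows it would be active on a build whose gate default is true and inactive on one whose default is false.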
Issue links
- is caused by OCPBUGS-60953 Missing NodeLogQuery feature gate in kubelet configuration (Closed)